Comtarsia SignOn Agent for Linux 2003
User Guide
December 4, 2003
Version 2003 – Build 1.1.5.11
SignOn Agent for Linux is a member of the Comtarsia SignOn Gate product family. SignOn Agent consists of two modules: the system module and the Samba module.
System module: This module is responsible for maintaining Linux user accounts. Its functions, as described under [SA_SYSTEM] in the configuration parameter description below, are:
· Authentication of Linux users
· Creation of new Linux user accounts
· Synchronization of user passwords
· Synchronization of group membership
Samba module: This module is responsible for maintaining Samba user accounts. It has the following functions:
· Creation of new Samba user accounts
· Synchronization of user passwords
SignOn Agent for Linux features a variety of configuration options by means of which you can customize individual agent functions. Synchronization of Linux system accounts can be used for terminal users who are working directly on the system (e.g. via Telnet or SSH) as well as for users who are using Linux system applications which make use of system accounts (e.g. POP/IMAP server, web server).
Comtarsia SignOn Agent is available for a multitude of platforms and applications besides Linux. For more information please refer to the Comtarsia SignOn homepage at http://signon.comtarsia.com/
System requirements for installation of the SignOn Agent daemon:
· SUSE Linux Version 8.1 / SCO Linux Server Release 4.0
· RedHat Linux 8.0 (soon available)
Please note that the supplied program libraries can vary widely between Linux distributions. Therefore you have to make sure you are using the SignOn Agent version that is compiled for your specific distribution.
Requirements for using Sync Agent for Linux:
· TCP/IP protocol with static IP configuration
Extract the file sa_linux_X.X.X.tar.gz into a new directory with the command "tar zxvf sa_linux_1.0.1.tar.gz". Now change into the directory sa_linux and execute the installation program with the command "./sainstall". Root permissions are required for installing SignOn Agent.
During installation you will be asked for the SignOn Agent program directory as well as the IP address of the SyncProxy server.
SignOn Agent is installed so that it starts automatically when the Linux system is rebooted. You can customize this behavior to your requirements by changing the runlevel links.
Use this script to start and stop SignOn Agent: "/etc/SignOn Agent/SignOn Agentctl".
To start it, execute the following command as root:
"/etc/SignOn Agent/SignOn Agentctl start"
Stopping works similarly to starting:
"/etc/SignOn Agent/SignOn Agentctl stop"
If you change configuration parameters while SignOn Agent is active, you have to restart the agent for the changes to become effective:
"/etc/SignOn Agent/SignOn Agentctl restart"
The following chapter describes the necessary steps to assign a Logon Client user a share on a Samba server.
Task formulation:
A share is created on the Samba server, to which all users with the group membership "lnxgrp1" should have access. The user management is done under OS/2; the resource itself is on the Samba server.
Tasks under OS/2:
The group "lnxgrp1" needs to be assigned to all OS/2 users which should have access to the new Samba share. If needed, the group-mapping functionality of the Servolution SignOn Agent for Linux can be used to map a specific OS/2 group to a Linux group.
Create the alias under OS/2:
net alias ALIASNAME \\LINUXSERVER c:\daten11
The local directory name (in this case c:\daten11) doesn't need to exist on the OS/2 server, because the resource is on the Samba server, but an arbitrary directory needs to be specified.
Assign the alias to a user:
net user USERNAME /assign X:daten11
"X" is the drive letter on which the share will be assigned for the specific user.
Tasks under Linux/Samba:
The share folder needs to be created, e.g. "mkdir /shares/daten11", and the correct access permissions must be set, e.g.:
drwxrws--- 3 root lnxgrp1 208 Jun 12 11:18 daten11
(owner root, group lnxgrp1, mode 2770: the group has full access, "other" has none, and the setgid bit makes new files inherit the group lnxgrp1).
Subsequently the share must be defined in the Samba configuration file "smb.conf" (by default under /etc/samba/).
You need to create the following section in the file "smb.conf":
[daten11]
comment = daten11
path = /shares/daten11
create mask = 0660
directory mask = 0770
writeable = yes
public = no
valid users = @lnxgrp1
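The following Python script is an added example, not part of the Comtarsia guide or product. It checks that a share section like the one above and the directory listing shown under "Tasks under Linux/Samba" actually enforce the intended layout: the share is restricted to the group named in "valid users", the directory belongs to that group, "other" has no access, the setgid bit is set, and the create/directory masks do not hand out "other" bits. The smb.conf text and the two "ls -ld" lines are constructed from the values in the text (the second line is a deliberately misconfigured variant).

```python
"""Added example (not Comtarsia code): consistency check between a Samba
share definition and the permissions of the share directory."""
import re
import stat

# Constructed inputs modelled on the values in the guide.
SMB_CONF = """\
[daten11]
comment = daten11
path = /shares/daten11
create mask = 0660
directory mask = 0770
writeable = yes
public = no
valid users = @lnxgrp1
"""
LS_LINE_OK = "drwxrws--- 3 root lnxgrp1 208 Jun 12 11:18 daten11"
# Constructed bad variant: wrong group, no setgid bit, "other" can read/traverse.
LS_LINE_BAD = "drwxrwxr-x 3 root users 208 Jun 12 11:18 daten11"


def parse_smb_share(text):
    """Parse one [share] section of smb.conf into a dict (section name under '_name')."""
    share = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            share["_name"] = m.group(1)
            continue
        key, _, value = line.partition("=")
        share[key.strip().lower()] = value.strip()
    return share


def mode_from_ls(mode_str):
    """Turn an ls -l mode string such as 'drwxrws---' into numeric permission bits."""
    bits = 0
    flags = [(stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID),
             (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID),
             (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX)]
    for i, (r, w, x, special) in enumerate(flags):
        triple = mode_str[1 + 3 * i: 4 + 3 * i]
        if triple[0] == "r":
            bits |= r
        if triple[1] == "w":
            bits |= w
        if triple[2] in "xst":        # lowercase s/t: execute bit set as well
            bits |= x
        if triple[2] in "sStT":       # setuid/setgid/sticky
            bits |= special
    return bits


def check_share(share, ls_line):
    """Return a list of findings; an empty list means the share matches the intended layout."""
    fields = ls_line.split()
    mode, group = fields[0], fields[3]
    bits = mode_from_ls(mode)
    findings = []
    valid_users = share.get("valid users", "")
    groups = [v[1:] for v in valid_users.replace(",", " ").split() if v.startswith("@")]
    if share.get("public", "no").lower() != "no":
        findings.append("public = yes exposes the share to guest access")
    if not groups:
        findings.append("valid users does not restrict the share to a group")
    elif group not in groups:
        findings.append(f"directory group '{group}' is not among valid users {groups}")
    if bits & stat.S_IRWXO:
        findings.append(f"directory mode {mode} grants access to 'other'")
    if not bits & stat.S_ISGID:
        findings.append("setgid bit missing: new files would not inherit the share group")
    if bits & stat.S_IRWXG != stat.S_IRWXG:
        findings.append("group lacks rwx on the share directory")
    for key in ("create mask", "directory mask"):
        mask = int(share.get(key, "0777"), 8)
        if mask & stat.S_IRWXO:
            findings.append(f"{key} = {mask:04o} allows 'other' bits on new files")
    return findings


if __name__ == "__main__":
    share = parse_smb_share(SMB_CONF)
    print("ok  :", check_share(share, LS_LINE_OK))
    print("bad :", check_share(share, LS_LINE_BAD))
```

On a live system the "ls -ld /shares/daten11" output would replace the constructed line; the check deliberately reads only the mode and group fields so that it works on any GNU ls long listing.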
You have to deinstall SignOn Agent for Linux manually. Delete the following files/directories:
· /etc/SignOn Agent
· the SignOn Agent bin directory, e.g. /usr/local/SignOn Agent
· the soft links in the runlevel directories (/etc/init.d/, /etc/init.d/rc3.d, /etc/init.d/rc5.d)
The configuration file for SignOn Agent for Linux can be found at /etc/SignOn Agent/SignOn Agent.conf.
#####################################################################
#
# SignOn Agent.conf
# /etc/SignOn Agent/SignOn Agent.conf is the configuration file for the
# Servolution SignOn Agent daemon Version 1.0.1
# Copyright (c) 2003 Comtarsia It Services GmbH
#
#####################################################################
# Configuration settings for the CORE module
#
[SA_CORE]
# Defines if sync request message is encrypted. Must be ALWAYS 1, if this
# parameter is set to 0 severe problems can occur.
# Default: 1
cryptMessage=1
# Defines the installation directory for the SignOn Agent daemon
# Default: /usr/sbin/SignOn Agent
workingDirectory=/usr/sbin/SignOn Agent
# Specifies the listener port for incoming sync requests coming from
# the sync proxy. If changing this parameter be sure that the selected port
# number is not used by other services.
# Default: 2000
listenerPort=2000
# Specifies the maintenance listener port for the maintenance interface. You
# can connect yourself to the maintenance interface with a TELNET client. When
# connected HELP can be invoked by pressing "? ENTER". If changing this
# parameter be sure that the selected port number is not used by other services.
# This is not supported in the current version.
# Default: 3000
maintenancePort=3000
# Defines the standard socket receive timeout for PROXY communication in seconds.
# On expiration of this value the socket connection will be closed by the
# SignOn Agent. This case is shown in the logfile (if logging is activated) as
# "receive error". If this error accumulates contact your network administrator.
# Default: 4
rcvTimeout=4
# Configuration settings for the LOG module
#
[SA_LOG]
# Defines if logging is activated without a maintenance connection, must be 1 if
# you want to log to file.
# Example cases when file logging is activated:
# 1) logToFile=1 AND a maintenance connection is established AND the maintenance
# command "log start" is performed.
# 2) logAlways=1 and logToFile=1
# Default: 1
logAlways=1
# Specifies the logfile name (path has to be included)
# Default: /var/log/ComtSignOn Agent.log
logFileName = /var/log/ComtSignOn Agent.log
# Defines the desired log level. Loglevel should at least be set to 1 to log all
# error messages which will occur. For more exact system analyses set this
# parameter to a higher level (e.g. during system test phase).
# Be aware that log levels higher than 1, especially 3 (if file logging is activated),
# can consume a non-negligible amount of disk space under high SignOn Agent load.
# 0 no log
# 1 only errors
# 2 log messages
# 3 verbose log level
# Default: 1
logLevel=1
# Specifies if the log output should be written to "logFileName".
# For more information see [SA_LOG] -> logAlways.
# Default: 1
logToFile=1
# Defines the maximum logfile size in bytes. If this size is reached
# a backup copy of the logfile is made (naming convention is
# <logFileName>_YEAR_MONTH_DAY_HOUR_MINUTE_SECOND) and the logfile
# size is set to 0. If free disk space is less than 50 megabytes the oldest logfile
# backup copy will be deleted.
# Default: 102400
maxLogFileSize=1024000
# Configuration settings for the SYSTEM module
#
[SA_SYSTEM]
# Specifies if the SYSTEM sync module is enabled. The SYSTEM sync module is
# responsible for UNIX user AUTHENTICATION, UNIX user CREATION, UNIX
# PASSWORD synchronization and UNIX GROUP synchronization.
# All further modules will not be processed if the SYSTEM
# module fails. Thus "syncEnabled" must ALWAYS be 1.
# Default: 1
syncEnabled=1
# Specifies the policy bit field flags for syncing.
# If a previous level fails, further operation is cancelled. Bit values:
# 0x1 check password (must be ALWAYS set)
# 0x2 create user (must be ALWAYS set)
# 0x4 update user (update the user's supplementary groups)
# default = 7 (all bits set)
syncPolicy=7
# Specifies if the user's home directory should be created
# Default: 1
createHomeDir=1
# Specifies if on directory creation the users' home directory
# mask should be changed.
# Default: 1
changeHomeDirPermission=1
# Specifies the home directory mask to use (octal)
# Default: 0700
homeDirPermissionMask=0700
# Specifies if groupmapping is enabled (1 = group mapping is enabled).
# When group mapping is disabled the supplementary group list sent by the client
# is used to update the UNIX group membership.
# When group mapping is enabled (see [SA_GROUPMAPPING]) group mapping
# translation is used.
# Default: 0 (group mapping is disabled)
disableEqualGroupMapping=0
# Specifies the except groups. These are groups which will be deleted
# from the user's supplementary group list (groups are separated by ", ").
# Example: root, audio
exceptGroups=root
# Specifies the minimum GID. All groups in the supplementary group list whose
# group ID is less than minGid are deleted from the user's supplementary group list.
# Default: 30
minGid=30
# Configuration settings for the SAMBA module
#
[SA_SAMBA]
# Specifies if the SAMBA sync module is enabled (1 = enabled). The SAMBA sync
# module is responsible for SAMBA user AUTHENTICATION, SAMBA user CREATION
# and SAMBA PASSWORD synchronization. If the SYSTEM module fails, the SAMBA
# module will NOT be processed.
# Default: 1
syncEnabled=1
# Proxy accept list
# List of SYNC PROXY IPs from which requests will be accepted. Sync requests
# whose sender is not in this list will be REJECTED and an entry (if logging
# is activated) in the log file is made.
# Maximum list size is 10.
# PROXY1 = ...
# PROXY2 = ...
# ...
[SA_ACCEPTLIST]
PROXY1=192.168.2.209
#PROXY2=192.168.2.206
# Groupmapping list.
# The group mapping list describes the group mapping translation. The left-hand
# group (SOURCE group) in a group mapping entry is checked against the group
# list sent by the client. If the SOURCE group is found in the client list the
# TARGET group(s) (right-hand side of a group mapping entry) will be
# added to the user's supplementary group list. Groups in the client list which
# do not match any SOURCE group will be discarded.
# Syntax: "USERLIST GROUP" = "SUPPLEMENTARY GROUP1" [ , "SUPPLEMENTARY GROUP2"...]
# Maximum list size is 32.
# Example: OS2GRP1=linuxgrp1, linuxgrp2
[SA_GROUPMAPPING]
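The following Python script is an added example, not part of the Comtarsia guide or product. It models the rules described in the [SA_SYSTEM], [SA_ACCEPTLIST] and [SA_GROUPMAPPING] comments above, so that an administrator can see which supplementary groups a given client group list would end up with: the proxy accept list, translation through the group mapping list when disableEqualGroupMapping=1 (or the client list taken as-is when it is 0), removal of the exceptGroups, and the minGid cut-off. The configuration text and the GID table are constructed; how the real daemon treats a group that does not exist locally is not stated in the guide, so the script simply drops such groups (an assumption).

```python
"""Added example (not Comtarsia code): models the supplementary-group
filtering and proxy accept-list rules described in SignOn Agent.conf."""
import configparser

# Constructed sample configuration modelled on the parameter description.
SAMPLE_CONF = """\
[SA_CORE]
listenerPort=2000

[SA_SYSTEM]
syncEnabled=1
syncPolicy=7
disableEqualGroupMapping=1
exceptGroups=root, audio
minGid=30

[SA_ACCEPTLIST]
PROXY1=192.168.2.209

[SA_GROUPMAPPING]
OS2GRP1=linuxgrp1, linuxgrp2
lnxgrp1=lnxgrp1
"""

# Constructed GID table standing in for /etc/group (assumed values).
SAMPLE_GIDS = {"root": 0, "audio": 29, "users": 100,
               "linuxgrp1": 1001, "linuxgrp2": 1002, "lnxgrp1": 1003}


def load_conf(text):
    """Parse the key=value / [SECTION] format used by SignOn Agent.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep the case of group names and PROXYn keys
    cp.read_string(text)
    return cp


def split_list(value):
    """Split a ", "-separated list value into its entries."""
    return [g.strip() for g in value.split(",") if g.strip()]


def proxy_accepted(cp, sender_ip):
    """Accept list: only the listed SyncProxy addresses may submit sync requests."""
    accepted = {v.strip() for k, v in cp["SA_ACCEPTLIST"].items()
                if k.upper().startswith("PROXY")}
    return sender_ip in accepted


def supplementary_groups(cp, client_groups, gids):
    """Compute the supplementary group list the agent would apply for a user."""
    sysconf = cp["SA_SYSTEM"]
    if sysconf.getint("disableEqualGroupMapping", 0) == 1:
        # Mapping mode: SOURCE -> TARGET translation; unmapped client groups are discarded.
        mapping = {src: split_list(dst) for src, dst in cp["SA_GROUPMAPPING"].items()}
        groups = []
        for g in client_groups:
            for target in mapping.get(g, []):
                if target not in groups:
                    groups.append(target)
    else:
        # Equal mapping: the client's list is used as-is (duplicates removed).
        groups = list(dict.fromkeys(client_groups))
    except_groups = set(split_list(sysconf.get("exceptGroups", "")))
    min_gid = sysconf.getint("minGid", 30)
    result = []
    for g in groups:
        if g in except_groups:
            continue                      # exceptGroups are always stripped
        gid = gids.get(g)
        if gid is None or gid < min_gid:  # unknown locally (assumption) or below minGid
            continue
        result.append(g)
    return result


if __name__ == "__main__":
    conf = load_conf(SAMPLE_CONF)
    print(proxy_accepted(conf, "192.168.2.209"), proxy_accepted(conf, "10.0.0.1"))
    print(supplementary_groups(conf, ["root", "OS2GRP1", "audio", "lnxgrp1"], SAMPLE_GIDS))
```

The two filters are what keep a client-supplied group list from granting privileged membership: even if a client sends "root" or a low-GID system group, exceptGroups and minGid remove it before the UNIX account is updated, which is why the guide ships exceptGroups=root and minGid=30 as defaults.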
All data sent from SyncClient and SyncProxy to SignOn Agent is RSA encrypted.
The SignOn Agent for Linux test version uses an internal 512-bit RSA key.
A licensed version of SignOn Agent allows you to use your own custom-generated RSA keys up to a length of 2048 bits.
Note: The internal RSA key is only meant for testing and should never be used in production environments, for security reasons: it is the same key in every test installation, and 512 bits is far below the RSA key sizes recommended for protecting real credentials.